ci-multinode: Update configuration for external TLS using Vault CA

markgoddard · markgoddard · commit 88f83b9f5869 · 2024-04-15T16:27:03.000+01:00
diff --git a/.automation.conf/tempest/tempest-ci-multinode.overrides.conf b/.automation.conf/tempest/tempest-ci-multinode.overrides.conf
@@ -32,4 +32,4 @@ max_microversion = 3.70
 build_timeout = 600
 
 [dashboard]
-dashboard_url = http://192.168.39.2
+dashboard_url = https://192.168.39.2
diff --git a/etc/kayobe/environments/ci-multinode/kolla.yml b/etc/kayobe/environments/ci-multinode/kolla.yml
@@ -8,12 +8,16 @@ kolla_enable_designate: true
 kolla_enable_redis: true
 kolla_enable_barbican: true
 
-# The multinode environment supports Backend and internal TLS , but it must be
-# enabled in the correct order. See
+# The multinode environment supports backend, external and internal TLS , but
+# it must be enabled in the correct order. See
 # https://stackhpc-kayobe-config.readthedocs.io/en/stackhpc-yoga/configuration/vault.html
 # for details.
+# kolla_enable_tls_external: true
 # kolla_enable_tls_internal: true
 
+kolla_public_openrc_cacert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if os_distribution in ['centos', 'rocky'] else '/etc/ssl/certs/ca-certificates.crt' }}"
+kolla_admin_openrc_cacert: "{{ kolla_public_openrc_cacert }}"
+
 # The multinode environment supports Manila but it is not enabled by default.
 # kolla_enable_manila: true
 # kolla_enable_manila_backend_cephfs_native: true
diff --git a/etc/kayobe/environments/ci-multinode/tempest.yml b/etc/kayobe/environments/ci-multinode/tempest.yml
@@ -0,0 +1,3 @@
+---
+# Add the Vault CA certificate to the rally container when running tempest.
+tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+# Add the Vault CA certificate to the rally container when running tempest.`
	`3`	`+tempest_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"`